Practical and provably secure distance-bounding

From contactless payments to remote car unlocking, many applications are vulnerable to relay attacks. Distance-bounding protocols are the main practical countermeasure against these attacks. At FSE 2013, we presented SKI as the first family of provably secure distance-bounding protocols. At LIGHTSEC 2013, we presented the best attacks against SKI. In this paper, we present the security proofs. More precisely, we explicate a general formalism for distance-bounding protocols. Then, we prove that SKI and its variants are provably secure, even under the real-life setting of noisy communications, against the main types of relay attacks: distance-fraud and generalised versions of mafia- and terrorist-fraud. For this, we reinforce the idea of using secret sharing, combined with the new notion of a leakage scheme. In view of resistance to mafia-frauds and terrorist-frauds, we present the notion of circular-keying for pseudorandom functions (PRFs); this notion models the employment of a PRF, with possible linear reuse of the key. We also use PRF masking to fix common mistakes in existing security proofs/claims.
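As an added illustration (not the SKI protocol and not code from the paper), the following simplified Python model shows the mechanism the abstract relies on: a rapid-bit-exchange verifier counts only responses that are both correct and returned within a round-trip time bound, and accepts when at least tau out of n rounds pass, so that an honest prover survives channel noise while a relay's added latency or a guessing adversary fails. The distance (10 m), processing delay (50 ns), round count (64) and threshold (48) are assumed parameters chosen for the example.

```python
import math
import random

# Simplified model, added here as an illustration; it is not SKI itself.
# The verifier runs n rapid challenge/response rounds and accepts when at
# least tau rounds are both correct and answered within the round-trip bound.
# Choosing tau < n is what lets an honest prover survive a noisy channel.
SPEED_OF_LIGHT = 299_792_458.0  # metres per second

def rtt_bound_seconds(max_distance_m, processing_delay_s):
    """Largest round-trip time a prover within max_distance_m can produce."""
    return 2 * max_distance_m / SPEED_OF_LIGHT + processing_delay_s

def verify(transcript, tau, rtt_bound):
    """transcript: list of (expected_bit, received_bit, rtt_seconds) per round.
    A round counts only if the bit is right AND it arrived in time."""
    good = sum(1 for exp, got, rtt in transcript
               if exp == got and rtt <= rtt_bound)
    return good >= tau

def guessing_false_accept(n, tau):
    """Probability that an adversary who must answer each fast-phase challenge
    before seeing it (so each answer is a coin flip) reaches the threshold:
    P[Binomial(n, 1/2) >= tau]."""
    return sum(math.comb(n, k) for k in range(tau, n + 1)) / 2 ** n

def simulate(n, tau, rtt_bound, noise, extra_delay_s, seed):
    """Constructed run: the shared secret fixes the expected answer to each
    challenge; the channel flips a response with probability `noise`, and every
    response is delayed by extra_delay_s (0 for an honest prover in range, >0
    for a relay that forwards challenges to a distant prover)."""
    rng = random.Random(seed)
    transcript = []
    for _ in range(n):
        expected = rng.getrandbits(1)            # answer derived from the secret
        got = expected ^ (rng.random() < noise)  # bit error on the channel
        rtt = 0.9 * rtt_bound + extra_delay_s    # in-range prover uses 90% of budget
        transcript.append((expected, got, rtt))
    return verify(transcript, tau, rtt_bound)

if __name__ == "__main__":
    N, TAU = 64, 48
    bound = rtt_bound_seconds(10.0, 50e-9)   # 10 m plus 50 ns of processing (assumed)
    print("honest, 5% noise :", simulate(N, TAU, bound, 0.05, 0.0, 2013))
    print("relay, +200 ns   :", simulate(N, TAU, bound, 0.05, 200e-9, 2013))
    print("guesser P[accept]: %.2e" % guessing_false_accept(N, TAU))
```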
